As more and more computers, and other computing devices, are inter-connected through various networks, such as the Internet, computer security has become increasingly more important, particularly from invasions or attacks delivered over a network or over an information stream. As those skilled in the art will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will realize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all of these attacks will be generally referred to hereafter as computer exploits, or more simply, exploits.
When a computer system is attacked or “infected” by a computer exploit, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer exploits is that an infected computer system is used to infect other computers.
FIG. 1 is a pictorial diagram illustrating an exemplary networked environment 100 over which a computer exploit is commonly distributed. As shown in FIG. 1, the typical exemplary networked environment 100 includes a plurality of computers 102-108 all inter-connected via a communication network 110, such as an intranet or via a larger communication network including the global TCP/IP network commonly referred to as the Internet. For whatever reason, a malicious party on a computer connected to the network 110, such as computer 102, develops a computer exploit 112 and releases it on the network. The released computer exploit 112 is received by, and infects, one or more computers, such as computer 104, as indicated by arrow 114. As is typical with many computer exploits, once infected, computer 104 is used to infect other computers, such as computer 106 as indicated by arrow 116, which in turn infects yet other computers, such as computer 108 as indicated by arrow 118. Clearly, due to the speed and reach of the modern computer networks, a computer exploit 112 can “grow” at an exponential rate, and quickly become a local epidemic that quickly escalates into a global computer pandemic.
A traditional defense against computer exploits, and particularly computer viruses and worms, is anti-virus software. Generally, anti-virus software scans incoming data, arriving over a network, looking for identifiable patterns associated with known computer exploits. Upon detecting a pattern associated with a known computer exploit, the anti-virus software may respond by removing the computer virus from the infected data, quarantining the data, or deleting the “infected” incoming data. Unfortunately, anti-virus software typically works with “known,” identifiable computer exploits. Frequently, this is done by matching patterns within the data to what is referred to as a “signature” of the exploit. One of the core deficiencies in this exploit detection model is that an unknown computer exploit may propagate unchecked in a network until a computer's anti-virus software is updated to identify and respond to the new computer exploit.
As anti-virus software has become more sophisticated and efficient at recognizing thousands of known computer exploits, so too have the computer exploits become more sophisticated. For example, many recent computer exploits are now polymorphic, or in other words, have no identifiable pattern or “signature” by which they can be recognized by anti-virus software in transit. These polymorphic exploits are frequently unrecognizable by anti-virus software because they modify themselves before propagating to another computer system.
Another defense that is common today in protecting against computer exploits is a hardware or software network firewall. As those skilled in the art will recognize, a firewall is a security system that protects an internal network from unauthorized access originating from external networks by controlling the flow of information between the internal network and the external networks. All communications originating outside of the firewall are first sent to a proxy that examines the communication, and determines whether it is safe or permissible to forward the communication to the intended target. Unfortunately, properly configuring a firewall so that permissible network activities are uninhibited and that impermissible network activities are denied is a sophisticated and complicated task. In addition to being technically complex, a firewall configuration is difficult to manage. When firewalls are improperly configured, permissible network traffic may be inadvertently shut down and impermissible network traffic may be allowed through, compromising the internal network. For this reason, changes to firewalls are generally made infrequently, and only by those well versed in the subject of technical network design.
As yet a further limitation of firewalls, while a firewall protects an internal network, it does not provide any protection for specific computers. In other words, a firewall does not adapt itself to a specific computer's needs. Instead, even if a firewall is used to protect a single computer, it still protects that computer according to the firewall's configuration, not according to the single computer's configuration.
Yet another issue related to firewalls is that they do not provide protection from computer exploits originating within the borders established by a firewall. In other words, once an exploit is able to penetrate the network protected by a firewall, the exploit is uninhibited by the firewall. This situation frequently arises when an employee takes a portable computer home (i.e., outside of the corporate firewall protection) and uses it at home in a less secured environment. Unknown to the employee, the portable computer is then infected. When the portable computer is reconnected to the corporate network within the protection of the firewall, the exploit is often free to infect other computers unchecked by the firewall.
As mentioned above, computer exploits now also leverage legitimate computer system features in an attack. Thus, many parties other than firewall and anti-virus software providers must now join in defending computers from these computer exploits. For example, operating system providers must now, for economic and contractual reasons, continually analyze their operating system functions to identify weaknesses or vulnerabilities that may be used by a computer exploit. For purposes of the present discussion, any avenue by which a computer exploit may attack a computer system will be generally referred to as a computer system vulnerability, or simply a vulnerability.
As vulnerabilities are identified and addressed in an operating system, or other computer system components, drivers, applications, the provider will typically release a software update to remedy the vulnerability. These updates, frequently referred to as patches, should be installed on a computer system in order to secure the computer system from the identified vulnerabilities. However, these updates are, in essence, code changes to components of the operating system, device drivers, or software applications. As such, they cannot be released as rapidly and freely as anti-virus updates from anti-virus software providers. Because these updates are code changes, the software updates require substantial in-house testing prior to being released to the public. Unfortunately, even with in-house testing, a software update may cause one or more other computer system features to break or malfunction. Thus, software updates create a huge dilemma to parties that rely upon the computer systems. More specifically, does a party update their computer systems to protect them from the vulnerability and risk disrupting their computer systems' operations, or does the party refrain from updating their computer systems and run the risk that their computer systems may be infected?
Under the present system, there is a period of time, referred to hereafter as a vulnerability window, that exists between when a new computer exploit is released on the network 110 and when a computer system is updated to protect it from the computer exploit. As the name suggests, it is during this vulnerability window that a computer system is vulnerable, or exposed, to the new computer exploit. FIGS. 2A-2B are block diagrams of exemplary timelines illustrating this vulnerability window. In regard to the following discussions regarding timelines, significant times or events will be identified and referred to as events in regard to a timeline.
FIG. 2A illustrates a vulnerability window of computer systems with regard to one of the more recent, sophisticated class of computer exploits that are now being released on public networks. As will be described below, this new class of computer exploits take advantage of a system provider's proactive security measures to identify computer system vulnerabilities, and subsequently, create and deliver a computer exploit.
With reference to FIG. 2A, at event 202, an operating system provider identifies the presence of a vulnerability in the released operating system. For example, in one scenario, the operating system provider, performing its own internal analysis of a released operating system, uncovers a previously unknown vulnerability that could be used to attack a computer system. In an alternative scenario, the previously unknown vulnerability is discovered by third parties, including organizations that perform system security analyses on computer systems, and relays information regarding the vulnerability to the operating system provider.
Once the operating system provider is aware of the presence of the security vulnerability, the operating system provider addresses the vulnerability which, at event 204, leads to the creation and release of a patch to secure any computer systems running the operating system. Typically, an operating system provider will make some type of announcement that there is a system patch available, along with a recommendation to all operating system users to install the patch. The patch is usually placed in a known location on the network 110 for downloading and installation onto affected computer systems.
Unfortunately, as happens all too often, after the operating system provider releases the patch, at event 206, a malicious party downloads the patch and, using some reverse engineering as well as any information made public by the operating system or others, identifies the specifics regarding the “fixed” vulnerability in the operating system. Using this information, the malicious party creates a computer exploit to attack the underlying vulnerability. At event 208, the malicious party releases the computer exploit onto the network 110. While the goal of issuing a software patch, also known as a “fix,” is to correct an underlying vulnerability, the “fix” is often a complex piece of software code which itself, unfortunately, may create or contain a new vulnerability that could be attacked by a computer exploit created by a malicious party. Thus, in addition to evaluating what the “fix” corrects, the “fix” is also evaluated for potential vulnerabilities.
While a “fix” is available, the malicious party realizes that, for various reasons including those described above, not every vulnerable computer system will be immediately upgraded. Thus, at event 208, the malicious party releases the computer exploit 112 onto the network 110. The release of the computer exploit 112 opens a vulnerability window 212, as described above, in which the vulnerable computer systems are susceptible to this computer exploit. Only when the patch is finally installed on a computer system, at event 210, is the vulnerability window 212 closed for that computer system.
While many computer exploits released today are based on known vulnerabilities, such as in the scenario described in regard to FIG. 2A, occasionally, a computer exploit is released on the network 110 that takes advantage of a previously unknown vulnerability. FIG. 2B illustrates a vulnerability window 230 with regard to a timeline 220 under this scenario. Thus, as shown on timeline 220, at event 222, a malicious party releases a new computer exploit. As this is a new computer exploit, there is neither an operating system patch nor an anti-virus update available to protect vulnerable computer systems from the attack. Correspondingly, the vulnerability window 230 is opened.
At some point after the new computer exploit is circulating on the network 110, the operating system provider and/or the anti-virus software provider detects the new computer exploit, as indicated by event 224. As those skilled in the art will appreciate, typically, the presence of the new computer exploit is detected within a matter of hours by both the operating system provider and the anti-virus software provider.
Once the computer exploit is detected, the anti-virus software provider can begin its process to identify a pattern, or “signature,” by which the anti-virus software may recognize the computer exploit. Similarly, the operating system provider begins its process to analyze the computer exploit to determine whether the operating system must be patched to protect it from the computer exploit. As a result of these parallel efforts, at event 226, the operating system provider and/or the anti-virus software provider releases an update, i.e., a software patch to the operating system or an anti-virus update, which addresses the computer exploit. Subsequently, at event 228, the update is installed on a user's computer system, thereby protecting the computer system and bringing the vulnerability window 230 to a close.
As can be seen from the examples above, which are only representative of all of the possible scenarios in which computer exploits pose security threats to a computer system, a vulnerability window exists between the times that a computer exploit 112 is released on a network 110, and when a corresponding update is installed on a user's computer system to close the vulnerability window. Sadly, whether the vulnerability window is large or small, an infected computer costs the computer's owner substantial amounts of money to “disinfect” and repair, if it is at all possible. This cost can be enormous when dealing with large corporations or entities that may have thousands or hundreds of thousands of devices attached to a network 110. Such a cost is further amplified by the possibility that such an exploit tamper or destroys customer data, all of which may be extremely difficult or impossible to trace and remedy. What is needed is a system and method for securing a computer system against computer exploits in a responsive manner and according to the individual computer system's needs, even before a protective update is available and/or installed on the computer system. These, and other issues found in the prior art, are addressed by the present invention.